PDA

View Full Version : vBulletin 5 Security Patch: 5.0.2 PL1


vB.Org System
05-22-2013, 10:05 PM
This patch addresses three important issues. All were found after the launch of 5.0.2.

One fix corrects the importing of closed threads.
Another fix addresses a potential infinite redirection loop that could possibly occur in the conversation route.
A method was repaired when it was found to be vulnerable to a potential SQL Injection.

This patch affects only vBulletin 5.0.2. vBulletin 3, vBulletin 4, vBulletin 5.0.0 and vBulletin 5.0.1 are not affected.

It's highly recommend you take advantage of this patch.

New downloads of vBulletin 5.0.2 (and beyond) include all these updates. There is no need to utilize the steps below if you downloaded vB 5.0.2 today after 3:30PM PT or beyond.

For vBulletin 5 Customers running 5.0.2, to install the vBulletin 502pl1 patch

Please install the patch immediately.

Download the patch from https://members.vbulletin.com/patches.php.
Extract the vBulletin patches files from the Zip file.
Upload the patch files to your server, overwriting the old files.
After you've downloaded the patch and applied it to your vb5 forum, you should also run http://yourforum.com/core/install/upgrade.php?version=502&only=1 to apply the fix.

Note: If you had previously deleted your entire /core/install/ directory you will need to re-upload it (except for install.php) in order to run the upgrade.php script. Once complete, delete the directory again.

As with all security related releases, we recommend all affected customers upgrade as soon as possible.

Advanced Users

Files updated in vBulletin 502pl1 patch

core/includes/version_vbulletin.php
core/install/includes/class_upgrade_502.php
core/install/upgrade_language_en.xml
core/packages/vbinstall/db/mysql/querydefs.php
core/vb5/route/conversation.php
core/vb/api/node.php
core/vb/api/route.php

After you've updated these files, you should also run http://yourforum.com/core/install/upgrade.php?version=502&only=1 to apply the fix.

Please note this list does not contain the files changed in any previous patches for these versions. Only the files changed in vBulletin 502pl1 patch are listed.

Licensed customers may discuss the security patch here (http://www.vbulletin.com/forum/forum/vbulletin-sales-and-feedback/licensed-customer-feedback/3971261-vb5-security-patch-502pl1-discussion-thread#post3971261).

Thank you.